Wikipedia

Trusted Execution Technology

Intel Trusted Execution Technology (Intel TXT, formerly known as LaGrande Technology) is a computer hardware technology of which the primary goals are:

  • Attestation of the authenticity of a platform and its operating system.
  • Assuring that an authentic operating system starts in a trusted environment, which can then be considered trusted.
  • Provision of a trusted operating system with additional security capabilities not available to an unproven one.

Intel TXT uses a Trusted Platform Module (TPM) and cryptographic techniques to provide measurements of software and platform components so that system software as well as local and remote management applications may use those measurements to make trust decisions. It complements Intel Management Engine. This technology is based on an industry initiative by the Trusted Computing Group (TCG) to promote safer computing. It defends against software-based attacks aimed at stealing sensitive information by corrupting system or BIOS code, or modifying the platform's configuration.

Details

The Trusted Platform Module (TPM) as specified by the TCG provides many security functions including special registers (called Platform Configuration Registers – PCRs) which hold various measurements in a shielded location in a manner that prevents spoofing. Measurements consist of a cryptographic hash using a Secure Hashing Algorithm (SHA); the TPM v1.0 specification uses the SHA-1 hashing algorithm. More recent TPM versions (v2.0+) call for SHA-2.[1][2]

A desired characteristic of a cryptographic hash algorithm is that, for all practical purposes, two modules produce the same hash result (referred to as a hash digest or simply a hash) only if the modules are identical.

Measurements

Measurements can be of code, data structures, configuration, information, or anything that can be loaded into memory. TCG requires that code not be executed until after it has been measured. To ensure a particular sequence of measurements, hash measurements in a sequence are not written to different PCRs, but rather a PCR is "extended" with a measurement. This means that the TPM takes the current value of the PCR and the measurement to be extended, hashes them together, and replaces the content of the PCR with that hash result. The effect is that the only way to arrive at a particular measurement in a PCR is to extend exactly the same measurements in exactly the same order. Therefore, if any module being measured has been modified, the resulting PCR measurement will be different and thus it is easy to detect if any code, configuration, data, etc. that has been measured had been altered or corrupted. The PCR extension mechanism is crucial to establishing a Chain of trust in layers of software (see below).
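The extend operation described above, as an added example in Python (not code from the article, Intel or the TCG). It models a single SHA-256 PCR bank, the one TPM 2.0 calls for, and walks a constructed three-module static chain into PCR0 so that the order-sensitivity and tamper-detection properties can be checked directly; the module contents, reset value and golden value are all constructed for the example.

```python
import hashlib
import hmac

# Added example, not code from the article or from Intel. TPM 2.0 calls for SHA-2,
# so a SHA-256 PCR bank is modelled; a TPM 1.x PCR would use SHA-1 and 20-byte values.
HASH = hashlib.sha256
PCR_RESET = bytes(HASH().digest_size)   # static PCRs reset to all-zero at power-on


def measure(module: bytes) -> bytes:
    """A measurement is the cryptographic hash of the module's bytes."""
    return HASH(module).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new_pcr = H(old_pcr || measurement).

    There is no operation that writes a PCR directly; the only way to reach a
    given value is to replay the same measurements in the same order.
    """
    return HASH(pcr + measurement).digest()


def extend_sequence(modules) -> bytes:
    """Extend a PCR from its reset value with each module, in load order."""
    pcr = PCR_RESET
    for module in modules:
        pcr = extend(pcr, measure(module))   # measure before execute, per TCG
    return pcr


# Constructed stand-ins for the static chain: ACM, first BIOS module, remaining BIOS code.
BOOT_CHAIN = [b"ACM (constructed)", b"BIOS boot block (constructed)", b"BIOS main (constructed)"]
GOLDEN_PCR0 = extend_sequence(BOOT_CHAIN)   # the known-good value a verifier would keep


def pcr0_matches_golden(observed: bytes) -> bool:
    """Compare a reported PCR0 against the known-good value in constant time."""
    return hmac.compare_digest(observed, GOLDEN_PCR0)


if __name__ == "__main__":
    tampered = [BOOT_CHAIN[0], BOOT_CHAIN[1], b"BIOS main (modified)"]
    reordered = [BOOT_CHAIN[1], BOOT_CHAIN[0], BOOT_CHAIN[2]]
    print("golden PCR0      :", GOLDEN_PCR0.hex())
    print("same chain  ok   :", pcr0_matches_golden(extend_sequence(BOOT_CHAIN)))
    print("modified module  :", pcr0_matches_golden(extend_sequence(tampered)))
    print("reordered chain  :", pcr0_matches_golden(extend_sequence(reordered)))
```

Because each extend folds the previous PCR value into the next hash, the same set of modules loaded in a different order yields a different PCR0, and a one-byte change in any module changes every later value in the chain; a verifier only needs the final PCR value, not the intermediate measurements, to detect either.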

Chain of trust

The technology supports both a static chain of trust and a dynamic chain of trust. The static chain of trust starts when the platform powers on (or the platform is reset), which resets all PCRs to their default value. For server platforms, the first measurement is made by hardware (i.e., the processor) to measure a digitally signed module (called an Authenticated Code Module or ACM) provided by the chipset manufacturer. The processor validates the signature and integrity of the signed module before executing it. The ACM then measures the first BIOS code module, which can make additional measurements.

The measurements of the ACM and BIOS code modules are extended to PCR0, which is said to hold the static core root of trust measurement (CRTM) as well as the measurement of the BIOS Trusted Computing Base (TCB). The BIOS measures additional components into PCRs as follows:

  • PCR0 – CRTM, BIOS code, and Host Platform Extensions[a]
  • PCR1 – Host Platform Configuration
  • PCR2 – Option ROM Code
  • PCR3 – Option ROM Configuration and Data
  • PCR4 – IPL (Initial Program Loader) Code (usually the Master Boot Record – MBR)
  • PCR5 – IPL Code Configuration and Data (for use by the IPL Code)
  • PCR6 – State Transition and Wake Events
  • PCR7 – Host Platform Manufacturer Control

The dynamic chain of trust starts when the operating system invokes a special security instruction, which resets dynamic PCRs (PCR17–22) to their default value and starts the measured launch. The first dynamic measurement is made by hardware (i.e., the processor) to measure another digitally signed module (referred to as the SINIT ACM) which is also provided by the chipset manufacturer and whose signature and integrity are verified by the processor. This is known as the Dynamic Root of Trust Measurement (DRTM).

The SINIT ACM then measures the first operating system code module (referred to as the measured launch environment – MLE). Before the MLE is allowed to execute, the SINIT ACM verifies that the platform meets the requirements of the Launch Control Policy (LCP) set by the platform owner. LCP consists of three parts:

  1. Verifying that the SINIT version is equal to or newer than the value specified
  2. Verifying that the platform configuration (PCONF) is valid by comparing PCR0–7 to known-good values (the platform owner decides which PCRs to include)
  3. Verifying that the MLE is valid, by comparing its measurement to a list of known-good measurements.

The integrity of the LCP and its lists of known-good measurements are protected by storing a hash measurement of the policy in the TPM in a protected non-volatile location that can only be modified by the platform owner.

Execute as a Trusted OS

Once the LCP is satisfied, the SINIT ACM allows the MLE to execute as a Trusted OS by enabling access to special security registers and enabling TPM Locality 2 level access. The MLE is now able to make additional measurements into the dynamic PCRs. The dynamic PCRs contain measurements of:

  • PCR17 – DRTM and launch control policy
  • PCR18 – Trusted OS start-up code (MLE)
  • PCR19 – Trusted OS (for example OS configuration)
  • PCR20 – Trusted OS (for example OS Kernel and other code)
  • PCR21 – as defined by the Trusted OS
  • PCR22 – as defined by the Trusted OS

The technology also provides a more secure way for the operating system to initialize the platform. In normal processor initialization, the boot-strap processor (BSP) sends a Start-up Inter-Processor Interrupt (SIPI) to each Application Processor, so that each processor starts in "real mode" and then transitions to "virtual mode" and finally to "protected mode". The operating system avoids that vulnerability by performing a secure launch (a.k.a. measured launch), which puts the Application Processors in a special sleep state from which they are started directly in protected mode with paging on, and from which they are not allowed to leave.[3]

Application

PCR values are available both locally and remotely. Furthermore, the TPM has the capability to digitally sign the PCR values (i.e., a PCR Quote) so that any entity can verify that the measurements come from, and are protected by, a TPM, thus enabling Remote Attestation to detect tampering, corruption, and malicious software. Additionally, those values can be used to identify the execution environment (the particular BIOS version, OS level, configuration, etc.) and compare them to their own lists of known-good values to further categorize the platform. This ability to evaluate and assign trust levels to platforms is known as Trusted Compute Pools.

Some examples of how Trusted Compute Pools are used:

  • Isolation – the ability to control if a platform connects to the production network or is quarantined based on its trust level or failure to pass its launch control policy.
  • Trust Based Policy – such as restricting critical apps to only execute on platforms that meet a specified trust level
  • Compliance and Auditing – demonstrating that critical, personal, or sensitive data has only been processed on platforms that meet trust requirements

Numerous server platforms include Intel TXT, and TXT functionality is leveraged by software vendors including HyTrust, PrivateCore, Citrix, and VMware. Open-source projects also utilize the TXT functionality; for example, tboot provides a TXT-based integrity system for the Linux kernel and Xen hypervisor.[4][5]

Windows 10 PCs with PCR7 Binding have the ability to enable or disable full device encryption.[6]

See also

  • Intel vPro
  • Next Generation Secure Computing Base
  • Intel Management Engine
  • Trusted Computing

Notes

  1. ^ The CRTM is measured by the processor, and the initial BIOS code is measured by the ACM; all other measurements are made by the BIOS or other firmware code, but only after that code has itself been measured.

References

  1. ^ "SHA-1 Uses in TPM v1.2". Trusted Computing Group. Retrieved 2014-03-14.
  2. ^ "TPM 2.0 Library Specification FAQ". Trusted Computing Group. Retrieved 2014-03-14.
  3. ^ "Chapter 2.2: MLE Launch". Intel Trusted Execution Technology (Intel® TXT) Software Development Guide (PDF). Intel.
  4. ^ "tboot (Trusted Boot)". sourceforge.net. October 6, 2014. Retrieved November 16, 2014.
  5. ^ Joseph Cihula (February 28, 2011). "Trusted Boot: Verifying the Xen Launch" (PDF). xenproject.org. Retrieved November 16, 2014.
  6. ^ "Windows 8.1 includes seamless, automatic disk encryption—if your PC supports it". Ars Technica. 17 October 2013. Retrieved 18 October 2013.

External links

  • Trusted Execution Technology, Intel.
  • Trusted Execution Technology (PDF) (overview), Intel.
  • Trusted Execution Technology (PDF) (architectural overview), Intel.
  • Intel Trusted Execution Technology Software Development Guide (PDF), Intel.
  • Virtualization Technology, Intel.
  • Intel TXT Overview, part of Linux kernel documentation, December 1, 2014
  • Integrity management using Intel TXT, LWN.net, April 1, 2009, by Jake Edge
  • Attacking Intel Trusted Execution Technology, Black Hat Briefings, February 2009, by Rafal Wojtczuk and Joanna Rutkowska
  • Trusted Computing Technologies, Intel Trusted Execution Technology, Sandia National Laboratories, January 2011, by Jeremy Daniel Wendt and Max Joseph Guise
